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Amendment 

Amendments to the Claims : Please replace all prior versions and listings of claims with the 
following listing of claims. 

Listing of Claims: 

1. (Currently Amended) A method for detecting and preventing attacks directed at a 
target system, comprising: 

receiving one or more packets originating from a source system, wherein the received 
packets are directed to the target system; 

monitoring the received packets to determine whether one or more of the received 
packets include one or more harmful computer code signatures, and further monitoring the 
received packets to identify determine whether one or more of the received packets that 
include identifying information associated with an attack signature, the attack signature that 
has a history of being included in packets associated with one or more previous attacks 
directed at the target system; 

detecting an attack directed at the target system if one or more of the monitored 
packets include one or more of the harmful computer code signatures, and further detecting 
the [[an]] attack directed at the target system when if one or more of the monitored packets 
include the identifying information that has the history of being included in packets associated 
with the attack signature previous attacks directed at the target system ; 

creating an attack profile based on information related to associated with the detected 
attack, wherein the attack profile includes provides identifying information related to included 
in the monitored packets that include the harmful computer code signatures, and wherein the 
attack profile further provides the identifying information that has the history of being 
included in packets associated with the attack signature previous attacks directed at the target 
system ; 

blocking one or more of the monitored packets that include i nformation associated 
with the attack profi l e from being transmitted to the target system , wherein the blocked 
packets include the identifying information provided in the attack profile ; and 
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blocking one or more subsequently received packets from being transmitted to the 
target system when if a severity of the detected attack exceeds a predetermined threshold, 
wherein the subsequently blocked packets including one or more of include packets originating 
from the source system [[or]] and packets directed to the target system. 

2. (Currently Amended) The method according to claim 1, wherein monitoring the 
packets inc l udes determining at least one of identifying information [[or]] provided in the 
attack profile identifies a type of communication associated with the monitored packets 
detected attack . 

3. (Currently Amended) The method according to claim [[2]] 1, wherein the identifying 
information provided in the attack profile identifies i nc l udes at least one of a source Internet 
Protocol address, a source port number, a destination Internet Protocol address, or a 
destination port number associated with the detected attack . 

4. (Currently Amended) The method according to claim 2, wherein the type of 
communication associated with the detected attack includes at least one of File Transfer 
Protocol, Simple Mail Transfer Protocol, Telnet, Domain Name System, Windows Internet 
Name System, HyperText Transfer Protocol, Traceroute, instant messaging, or chat. 

5. (Currently Amended) The method according to claim [[1]] 2, wherein monitoring the 
received packets are monitored inc l udes usinfi Transmission Control Protocol/Internet Protocol 
at an application layer to characterize the type of communication associated with the packets 
originating from the source system . 

6. (Previously Presented) The method according to claim 1, further comprising 
determining the severity of the detected attack based on at least one of a frequency of the 
previous attacks, a type of communication used in the previous attacks, an amount of 
bandwidth usage associated with the previous attacks, or a volume of the received packets. 
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7. (Currently Amended) The method according to claim 1, wherein blocking the packets 
from being transmitted to the target system includes instructing at least one of a router, a hub, 
a server, or a firewall to disable a communication channel connecting the source system to the 
target system . 

8. (Previously Presented) The method according to claim 1, further comprising notifying 
the source system that the attack has been detected and that a block was placed on packets 
received from the source system. 

9. (Currently Amended) The method according to claim 1, wherein blocking the 
subsequently received packets ore blocked from being transmitted to the target system expires 
after at least one of [[for]] a predetermined amount of time , a predetermined period of 
inactivity, or an occurrence of a triggering event . 

10. (Currently Amended) A system for protecting a computer network, comprising at least 
one computer readable medium associated with a target device coupled to the network, the 
computer readable medium including: 

a detection module configured to: 

that receives attack signatures assoc i ated with one or more previous attacks 
directed at a target device, 

monitor monitors one or more roceivod packets received from a source device 
to determine whether identify one or more of the received packets that include one or 
more harmful computer code signatures, and to further monitor, the received packets 
• to determine whether one or more of the received packets include identifying 
information that has a history of being included in packets associated with one or more 
previous attacks directed at the attack signatures, target device; and 

detect detects an attack directed at the target device when if one or more of the 
monitored packets include one or more of the harmful computer code signatures, and 
Page 4 of 20 

400997746vl 



Application Serial No.: 10/754,713 
Attorney Docket No.: 062070-0311769 
Reply and Amendment Accompanying RCE 

to further detect the attack if one or more of the monitored packets include the 
identifying information that has the history of beinR included in packets associated with 
the attack signatures previous attacks directed at the target device ; 
a scanning module that dotorminos configured to determine a severity of the detected 
attack directed at the target device; a«4 

a log creating module configured to create that creates an attack profile based on 
information related to associated with the detected attack, wherein the attack profile includes 
provides identifying information related to included in the monitored packets that include the 
harmful computer code signatures, and wherein the attack profile further provides the 
identifying information that has the history of being included in packets associated with the 
attack signature previous attacks directed at the target device ; and 
a blocking module configured to: 

that identifies a source of the packets that include information associated with 
the detected attack, instructs at least one dev i ce to block one or more of the monitored 
packets that include information associated with the attack profi l e from being 
transmitted to the target device, wherein the blocked packets include the identifying 
information provided in the attack profile; and 

instructs the at least one device to block one or more subsequently received 
packets from being transmitted to the target device when if the severity of the 
detected attack exceeds a predetermined threshold, wherein the subsequently blocked 
packets including one or more of include packets originating from the source device 
[[or]] and packets directed to the target device. 

11. (Currently Amended) The system according to claim 10, wherein the log creating 
module is further configured to store, in a database, identifying creates a record of the packets 
identified as inc l uding the information included in one or more packets associated with 
suspected or confirmed attacks directed at related to the detected attack target device . 
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12. (Currently Amended) The system according to claim 10, wherein the detection modu l o 
monitors the rocoivod packets by determ i ning at least one of identifying information [[or]] 
provided in the attack profile identifies a type of communication associated with the 
monitored packets detected attack . 

13. (Currently Amended) The system according to claim 10, wherein the scanning module 
is further configured to determine determines the severity of the detected attack based on at 
least one of a frequency of the previous attacks, a type of communication used in the previous 
attacks, an amount of bandwidth usage associated with the previous attacks, or a volume of 
the received packets. 

14. (Currently Amended) The system according to claim 10, wherein the blocking module 
is further configured to instruct blocks the packets from being transm i tted to the target device 
by instructing at least one of a router, a hub, a server, or a firewall to disable a communication 
channel connecting the source device to the target device in order to block the packets from 
being transmitted to the target device . 

15. (Currently Amended) The system according to claim 14, wherein the blocking modu l e 
blocks the subsequently received packets from being transmitted to the target device expires 
after at least one of [[for]] a predetermined amount of time , a predetermined period of 
inactivity, or an occurrence of a triggering event . 

16. (Currently Amended) A computer readable medium containing computer executable 
instructions for detecting and preventing attacks directed at a target system, the computer 
executable instructions operable to: 

receive one or more packets originating from a source system, wherein the received 
packets are directed to the target system; 

monitor the received packets to determine whether one or more of the received 
packets include one or more harmful computer code signatures, and further monitor the 
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received packets to identify determine whether one or more of the received packets that 
include identifying information associated with an attack signature, the attack signature that 
has a history of being included in packets associated with one or more previous attacks 
directed at the target system; 

detect an attack directed at the target system if one or more of the monitored packets 
include one or more of the harmful computer code signatures, and further detect the [[an]] 
attack directed at the target system when jf one or more of the monitored packets include the 
identifying information that has the history of being included in packets associated with the 
attack signatur e previous attacks directed at the target system ; 

create an attack profile based on information re l ated to associated with the detected 
attack, wherein the attack profile includes provides identifying information re l ated to included 
In the monitored packets that include the harmful computer code signatures, and wherein the 
attack profile further provides the identifying information that has the history of being 
included in packets associated with the attack signatur e previous attacks directed at the target 
system ; 

block one or more of the monitored packets that inc l ude i nformation assoc i ated w i th 
the attack profi l e from being transmitted to the target system , wherein the blocked packets 
include the identifying information provided in the attack profile; and ^ 

block one or more subsequently received packets from being transmitted to the target 
system when if a severity of the detected attack exceeds a predetermined threshold, wherein 
the subsequently blocked packets including one or more of include packets originating from 
the source system [for]] and packets directed to the target system. 

17. (Previously Presented) The computer readable medium according to claim 16, wherein 
the received packets are monitored transparently in real time. 

18. (Currently Amended) The computer readable medium according to claim 16, wherein 
the received packets are monitored after be i ng stored in a storage buffer and monitored upon 
release from the storage buffer . 
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19. (Currently Amended) The computer readable medium according to claim 16, wherein 
the instructions are further operable to determine the severity of the detected attack based on 
at least one of a frequency of the previous attacks, a type of communication used in the 
previous attacks, an amount of bandwidth usage associated with the previous attacks, or a 
volume of the received packets. 

20. (Currently Amended) The computer readable medium according to claim 16, wherein 
the instructions operable to block the packets from being transmitted to the target system are 
further operable to instruct by i nstructing at least one of a router, a hub, a server, or a firewall 
to disable a communication channel connecting the source system to the target system . 

21. (Currently Amended) The computer readable medium according to claim 16, wherein 
the instructions are further operable to notify the source system that the attack has been 
detected and that a block was placed on packets received from the source system. 

22. (Currently Amended) The computer readable medium according to claim 16, wherein 
blocking tho instructions operable to block the subsequently received packets from being 
transmitted to the target system expires after at least one of [[for]] a predetermined amount 
of ti m e , a predetermined period of inactivity, or an occurrence of a triggering event . 

23. (Currently Amended) A computer system configured for detecting and preventing 
attacks directed at target terminal devices, comprising: 

at least one terminal device; 

at least one server coupled to a computer network and to the terminal device, wherein 
the server is configured operab le to monitor packets directed to the terminal device, the server 
having one or more modules, including: 

a detection module configured to: 
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that rocoivos attack signatures assoc i ated with ono or moro previous 
attacks directed at the term i nal device, 

monitor monitors one or more received packets received from a source 
device to determine whether identify one or more of the received packets that 
include one or more harmful computer code signatures, and to further monitor 
the received packets to determine whether one or more of the received packets 
include identifying information that has a history of being included in packets 
associated with one or more previous attacks directed at the attack s i gnatures, 
terminal device; and 

detect detects an attack directed at the terminal device when if one or 
more of the monitored packets include one or more of the harmful computer 
code signatures, and to further detect the attack if one or more of the 
monitored packets include the identifying information that has the history of 
being included in packets associated with the attack signatures previous attacks 
directed at the terminal device; 

a log creating module configured to create that creates an attack profile based 
on information related to associated with the detected attack, wherein the attack 
profile inc l udes provides identifying information related to included in one or more of 
the monitored packets that include the harmful computer code signatures, and wherein 
the attack profile further provides the identifying information that has the history of 
being included in packets associated with the attack signature previous attacks directed 
at the terminal device; 

a scanning module that detorminos configured to determine a severity of the 
detected attack directed at the terminal device; and 
a blocking module configured to: 

that i dentifies a source of the packets that include information 
assoc i ated with the detected attack, instructs at l east ono switching device to 
block one or more of the monitored packets that include information associated 
with the attack profile from being transmitted to the terminal device, wherein 
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the blocked packets include the identifying information provided in the attack 
profile; and 

instructs the at l oast one switching device to block one or more 
subsequently received packets from being transmitted to the terminal device 
when if the severity of the detected attack exceeds a predetermined threshold, 
. wherein the subsequently blocked packets inc l uding one or more of include 
packets originating from the source device [[or]] and packets directed to the 
terminal device. 

24. (Currently Amended) The computer system according to claim [[23]] 25, wherein the 
log creating module is further configured to store, in the database, identifying creates a record 
of the packets ident i fied as inc l uding the information included in one or more packets 
associated with suspected or confirmed attacks directed at related to the detected attack 
terminal device . 

25. (Previously Presented) The computer system according to claim 23, further comprising 
a database coupled to the server. 

26. (Currently Amended) The computer system according to claim 23, wherein the 
detection modu l o monitors the received packets by determining at loast one of identifying 
information [[or]] provided in the attack profile identifies a type of communication associated 
with the monitored packets detected attack . 

27. (Currently Amended) The computer system according to claim 23, wherein the 
scanning module is further configured to determine determines the severity of the detected 
attack based on at least one of a frequency of the previous attacks, a type of communication 
used in the previous attacks, an amount of bandwidth usage associated with the previous 
attacks, or a volume of the received packets. 
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28. (Currently Amended) The computer system according to claim 23, wherein the 
blocking module is further configured to instruct blocks data packets from being transmitted to 
the terminal device by instructing at least one of a router, a, hub, a server, or a firewall to 
disable a communication channel connecting the source device to the terminal device in order 
to block the packets from being transmitted to the terminal device . 

29. (Currently Amended) The computer system according to claim 23, wherein tne 
blocking modulo blocks the subsequently received packets from being transmitted to the 
terminal device expires after at least one of [[for]] a predetermined amount of time, a 
predetermined period of inactivity, or an occurrence of a triggering event . 

30. (Currently Amended) The computer system according to claim 23, wherein the server 
js further configured operable to issue an alert to inform an administrator of the network of 
the detected attack directed at the terminal device. 

31. (Currently Amended) The method according to claim 3, wherein the subsequently 
blocked packets include information identifying including packets associated with one or more 
of the source Internet Protocol address, the source port number, the destination Internet 
Protocol address, or the destination port number. 

32. (Currently Amended) The method according to claim 1, wherein the attack profile 
inc l udes further provides identifying information included in one or more packets associated 
with one or more of re l ated to suspected and/or or confirmed attacks directed at the target 
system. 

33. (Currently Amended) The system according to claim 10, wherein the attack profile 
includes further provides identifying information included in one or more packets associated 
with one or more of re l ated to suspected and/or or confirmed attacks directed at the target 
system device . 
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34. (Currently Amended) The computer readable medium according to claim 16, wherein 
the attack profile inc l udes further provides identifying information included in one or more 
packets associated with one or more of re l ated to suspected and/or or confirmed attacks 
directed at the target system. 

35. (Currently Amended) The computer system according to claim 23, wherein the attack 
profile includes further provides identifying information included in one or more packets 
associated with one or more of ro l otod to suspected and/or or confirmed attacks directed at 
the target system terminal device . 

36. (New) The method according to claim 7, wherein disabling the communication channel 
causes packets that are suspected or confirmed of attacking the target system to be contained 
within the target system. 

37. (New) The method according to claim 7, further comprising: 

determining whether the source system originates internally or externally to a defined 
perimeter of the target system; 

notifying a user if the source system originates internally to the defined perimeter of 
the target system, wherein the user is notified that the communication channel has been 
disabled and that the attack originated internally to the defined perimeter of the target 
system; and 

enabling the communication channel for at least one system that runs a valid 
application over the communication channel if the source system originates externally to the 
defined perimeter of the target system. 

38. (New) The method according to claim 9, further comprising correlating a pattern for 
the detected attack to the severity of the detected attack to determine the amount of time 
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and the period, of inactivity after which blocking the subsequently received packets from being 
transmitted to the target system expires. 

39. (New) The method according to claim 32, further comprising storing, in a database, the 
identifying information included in the associated with the suspected or confirmed attacks 
directed at the target system. 

40. (New) The method of according to claim 39, further comprising: 

scanning the identifying information stored in the database to determine the severity of 
the detected attack; and 

enabling a user to view and modify the severity of the detected attack. 

41. (New) The method of according to claim 39, further comprising scanning the 
identifying information stored in the database to enable a reaction to the suspected or 
confirmed attacks based on one or more isolation policies. 

42. (New) The method according to claim 1, wherein the attack profile further provides 
information identifying a time of day and a frequency that that the monitored packets were 
received. 

43. (New) The method according to claim 1, wherein the subsequently blocked packets 
further include the identifying information provided in the attack profile. 

44. (New) The method according to claim 1, further comprising permanently blocking 
subsequently received packets originating from the source system from being transmitted to 
the target system if the severity of the detected attack indicates that the source system is a 
habitual attacker of the target system. 
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45. (New) The method according to claim 44, wherein a user can manually reset the 
permanent block on the subsequently received packets originating from the source system to 
allow a flow of packets originating from the source system to the target system. 
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